How to Make Threat Modeling Work for You
TECHIntersection
Monterey, CA • September 16, 2015
Robert Hurlbut RobertHurlbut.com • @RobertHurlbut
Robert Hurlbut
• Independent Software Security Consultant and Trainer • Owner / President of Robert Hurlbut Consulting Services • Microsoft MVP – Security Developer 2005-2009, 2015 • (ISC)2 CSSLP 2014-2017 • Speaker at user groups and conferences
• Contacts • Web Site: https://roberthurlbut.com/ • LinkedIn: https://www.linkedin.com/in/roberthurlbut/ • Twitter: @RobertHurlbut • Email: robert at roberthurlbut.com • Slides Location:
https://roberthurlbut.com/training/presentations http://snapboard.com/techintersection2015/SECURITY%20Intersection
© Robert Hurlbut Consulting Services 2015
What is threat modeling?
Threat modeling is the process of understanding your system and potential threats against your system.
A threat model allows you to assess the probability, potential harm, and priority of threats. Based on the model you can try to minimize or eradicate the threats.
Michael Howard* @michael_howard Sep 14, 2015
After years of working with clients, I have come to the conclusion that *ALL* Enterprise Architects need to understand threat modeling.
* Michael Howard works at Microsoft and is co-author of Writing Secure Code, 2nd edition, among other books.
Threat modeling helps you …
Identify threats your system faces
Challenge assumptions
Prioritize other security efforts (pen test, review, fuzzing)
Document what you have learned
Definitions
Threat Agent
Someone (or a process) who could do harm to a system (also adversary or attacker)
Definitions
Threat
An adversary’s goal
Definitions
Vulnerability
A flaw in the system that could help a threat agent realize a threat
Definitions
Attack
When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
Definitions
Asset
Something of value to valid users and adversaries alike
When?
Make threat modeling part of your secure software and architecture design
What if I didn’t? It’s not too late to start threat modeling, but it will be more difficult to change major design decisions
Getting started
Gather documentation (requirements, high-level design, detailed design, etc.)
Gather your team (don’t make this one person’s job only!): developers, QA, architects, project managers, business stakeholders
Understand business goals
Understand technical goals
Agree on meeting date(s) and time(s)
Plan on 1-2 hours at a time spread over a week or weeks – keep sessions focused
Threat Modeling Process – Making it work
1. Draw your picture - model the system
2. List the elements – entities, processes, data, data flows
3. Identify the threats - ask questions
4. Determine mitigations and risks
5. Follow through
Draw your picture
Model the system
• DFD – Data Flow Diagrams (from the Microsoft SDL)
• DFD element types: External Entity, Process, Multi-Process, Data Store, Data Flow, Privilege (Trust) Boundary
Model the System
[Example DFD: Users and Admin (external entities) exchange Request / Response flows with the Server (process); the Server uses Admin Settings and Logging Data (data stores); a trust boundary is drawn between the external entities and the Server.]
Model the system
[Detailed DFD: external entities User and Admin; processes Service, Authn Engine, Audit Engine, Mgmt Tool; data stores Credentials, Data Files; nine numbered data flows labelled Requested File(s), Get Creds, Set/Get Creds, Audit Write, Audit Read, Audit Requests, Audit Data Request, Audit Info; a trust boundary is marked between the external entities and the system.]
Your threat model now consists of …
1. Diagram / visual model of your system
Identify the elements
[Same detailed DFD as the previous slide, annotated with the element list below.]
External Entities:
Users, Admin
Processes:
Service, Authn Engine, Audit Engine, Mgmt Tool
Data Store(s):
Data Files, Credentials
Data Flows:
Users <-> Service
Admin <-> Audit Engine
(and the remaining numbered flows on the diagram)
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
Identify threats
• Attack Trees
• Threat Libraries (CAPEC, OWASP Top 10)
• Checklists (ex: OWASP Application Security Verification Standard (ASVS))
• Use Cases / Misuse Cases
• STRIDE
• P.A.S.T.A. – Process for Attack Simulation and Threat Analysis (combining STRIDE + attacks + risk analyses)
STRIDE Framework* for finding threats
Threat                   Property we want
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Non-repudiation
Information Disclosure   Confidentiality
Denial of Service        Availability
Elevation of Privilege   Authorization
* A framework for finding threats, not a classification scheme: STRIDE is a good framework, bad taxonomy.
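The process steps above (draw the picture, list the elements, identify threats) can be made mechanical for a first pass. The script below is an added example, not code from the slides: it encodes the deck's DFD (Users, Admin, Service, Authn Engine, Audit Engine, Mgmt Tool, Credentials, Data Files) and applies the STRIDE-per-element heuristic from the Microsoft SDL / Shostack, which says which STRIDE letters are worth asking about for each DFD element type. The trust zones, flow directions and the exact flow list are assumptions reconstructed from the slide labels, and the element-type to STRIDE mapping is not something the slides state.

```python
"""Added example (not from the slides): STRIDE-per-element over the deck's DFD.
Assumptions: element zones and flow directions reconstructed from slide labels;
element-type -> STRIDE mapping is the Microsoft SDL / Shostack heuristic."""
from dataclasses import dataclass

# STRIDE letter -> (threat, property we want), as tabulated in the deck
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# STRIDE-per-element heuristic (SDL; an assumption, not from the deck):
# which letters to ask about for each DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key into APPLICABLE
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


@dataclass(frozen=True)
class Threat:
    target: str
    threat: str
    wanted: str   # the property we want, from the STRIDE table
    note: str


def build_model():
    """The deck's DFD, reconstructed; zones and directions are assumptions."""
    elements = [
        Element("Users", "external_entity", "outside"),
        Element("Admin", "external_entity", "outside"),
        Element("Service", "process", "trusted"),
        Element("Authn Engine", "process", "trusted"),
        Element("Audit Engine", "process", "trusted"),
        Element("Mgmt Tool", "process", "trusted"),
        Element("Credentials", "data_store", "trusted"),
        Element("Data Files", "data_store", "trusted"),
    ]
    flows = [
        Flow("Users", "Service", "Request"),
        Flow("Service", "Users", "Requested File(s)"),
        Flow("Service", "Data Files", "Requested File(s)"),
        Flow("Service", "Authn Engine", "Get Creds"),
        Flow("Authn Engine", "Credentials", "Get Creds"),
        Flow("Service", "Audit Engine", "Audit Write"),
        Flow("Admin", "Audit Engine", "Audit Data Request"),
        Flow("Audit Engine", "Admin", "Audit Info"),
        Flow("Admin", "Mgmt Tool", "Set/Get Creds"),
        Flow("Mgmt Tool", "Credentials", "Set/Get Creds"),
    ]
    return elements, flows


def crosses_boundary(flow, by_name):
    return by_name[flow.src].zone != by_name[flow.dst].zone


def enumerate_threats(elements, flows):
    """One candidate threat per (element, applicable STRIDE letter)."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        for letter in APPLICABLE[e.kind]:
            name, wanted = STRIDE[letter]
            threats.append(Threat(e.name, name, wanted, e.kind))
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            raise KeyError(f"flow {f.label!r} references an unknown element")
        note = "data flow"
        if crosses_boundary(f, by_name):
            note += "; crosses trust boundary"   # the first flows to examine
        for letter in APPLICABLE["data_flow"]:
            name, wanted = STRIDE[letter]
            threats.append(Threat(f"{f.src} -> {f.dst} ({f.label})", name, wanted, note))
    return threats


def boundary_crossings(elements, flows):
    by_name = {e.name: e for e in elements}
    return [f for f in flows if crosses_boundary(f, by_name)]


def summarize(threats):
    """Count candidates per STRIDE category: a quick 'did we cover it' check."""
    counts = {}
    for t in threats:
        counts[t.threat] = counts.get(t.threat, 0) + 1
    return counts


if __name__ == "__main__":
    elements, flows = build_model()
    for t in enumerate_threats(elements, flows):
        print(f"{t.target:42} {t.threat:24} want: {t.wanted:16} [{t.note}]")
    print(summarize(enumerate_threats(elements, flows)))
```

The output is a list of questions to ask in the session, not a list of vulnerabilities: "Spoofing against Service, property wanted: Authentication" is the prompt for "how is authentication handled?" on the next slides. The flows flagged as crossing the trust boundary (Users and Admin talking to Service, Audit Engine and Mgmt Tool) are the ones to examine first.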
Identify Threats
Input and data validation
Authentication
Authorization
Configuration management
Sensitive data
Session management
Cryptography
Parameter manipulation
Exception management
Auditing and logging
Ask questions
How is authentication handled?
How about authorization?
Are we sending data in the open?
Are we using cryptography properly?
Is there logging? What is stored?
Etc.
One of the best questions …
Is there anything that keeps you up at night worrying about this system?
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
Determine mitigations and risks
• Mitigation options:
• Leave as-is (accept the risk)
• Remove the feature from the product
• Remedy with a technology countermeasure
• Warn the user
• What is the risk associated with the vulnerability?
• Risk management approaches:
• Bug Bar (Critical / Important / Moderate / Low), from the Microsoft SDL
• FAIR (Factor Analysis of Information Risk) – Jack Jones
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
4. Mitigations and risks identified to deal with the threats
Follow through
Document what you found and decisions you make
File bugs or new requirements
Verify bugs fixed and new requirements implemented
Did we miss anything? Review again
Anything new? Review again
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
4. Mitigations and risks identified to deal with the threats
5. Follow through – a living threat model!
Your challenge
Add threat modeling to your toolkit
Consider threat modeling first (secure design, before new features, etc.)
Many ways … just do it!
Resources - Books
Threat Modeling: Designing for Security book by Adam Shostack
Securing Systems: Applied Architecture and Threat Models by Brook S.E. Schoenfield
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis book by Marco Morana and Tony UcedaVelez
Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund
Resources - Tools
Whiteboard
Visio (or equivalent)
Word (or equivalent)
Resources - Tools
Microsoft Threat Modeling Tool 2014 http://www.microsoft.com/en-us/download/details.aspx?id=42518
Threat Modeler Tool 3.0 http://myappsecurity.com
Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303
OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Questions?